Latest vulnerabilities of Friday, 7 July 2023


Last updated on 07/07/2023 at 19:34:58

(0) vulnerability(ies) rated CRITICAL [9.0, 10.0]

(6) vulnerability(ies) rated HIGH [7.0, 8.9]

Source: hq.dhs.gov

Vulnerability ID: CVE-2023-35120

First published on: 07-07-2023 00:15:09
Last modified on: 07-07-2023 12:50:22

Description:
PiiGAB M-Bus is vulnerable to cross-site request forgery. An attacker who wants to execute a certain command could send a phishing mail to the owner of the device and hope that the owner clicks on the link. If the owner of the device has a cookie stored that allows the owner to be logged in, then the device could execute the GET or POST link request.

CVE ID: CVE-2023-35120
Source: ics-cert@hq.dhs.gov
CVSS score: 8.8

References:
https://www.cisa.gov/news-events/ics-advisories/icsa-23-187-01 | source: ics-cert@hq.dhs.gov

Vulnerability type: CWE-352


Vulnerability ID: CVE-2023-32652

First published on: 07-07-2023 00:15:09
Last modified on: 07-07-2023 12:50:22

Description:
PiiGAB M-Bus does not validate identification strings before processing, which could make it vulnerable to cross-site scripting attacks.

CVE ID: CVE-2023-32652
Source: ics-cert@hq.dhs.gov
CVSS score: 8.0

References:
https://www.cisa.gov/news-events/ics-advisories/icsa-23-187-01 | source: ics-cert@hq.dhs.gov

Vulnerability type: CWE-79


Vulnerability ID: CVE-2023-34433

First published on: 07-07-2023 00:15:09
Last modified on: 07-07-2023 12:50:22

Description:
PiiGAB M-Bus stores passwords using a weak hash algorithm.

CVE ID: CVE-2023-34433
Source: ics-cert@hq.dhs.gov
CVSS score: 7.5

References:
https://www.cisa.gov/news-events/ics-advisories/icsa-23-187-01 | source: ics-cert@hq.dhs.gov

Vulnerability type: CWE-916


Vulnerability ID: CVE-2023-34995

First published on: 07-07-2023 00:15:09
Last modified on: 07-07-2023 12:50:22

Description:
There are no requirements for setting a complex password for PiiGAB M-Bus, which could contribute to a successful brute force attack if the password is in line with recommended password guidelines.

CVE ID: CVE-2023-34995
Source: ics-cert@hq.dhs.gov
CVSS score: 7.5

References:
https://www.cisa.gov/news-events/ics-advisories/icsa-23-187-01 | source: ics-cert@hq.dhs.gov

Vulnerability type: CWE-521


Source: huntr.dev

Vulnerability ID: CVE-2023-3532

First published on: 07-07-2023 03:15:09
Last modified on: 07-07-2023 12:50:22

Description:
Cross-site Scripting (XSS) - Stored in GitHub repository outline/outline prior to 0.70.1.

CVE ID: CVE-2023-3532
Source: security@huntr.dev
CVSS score: 8.5

References:
https://github.com/outline/outline/commit/9431df45c210e85b77cd27f2ffaf0358b837afa3 | source: security@huntr.dev
https://huntr.dev/bounties/ebd2428a-e2cb-480e-ba37-dd89ad62cf1b | source: security@huntr.dev

Vulnerability type: CWE-79


Source: suse.de

Vulnerability ID: CVE-2023-32183

First published on: 07-07-2023 09:15:10
Last modified on: 07-07-2023 12:50:22

Description:
Incorrect Default Permissions vulnerability in the openSUSE Tumbleweed hawk2 package allows users with access to the hacluster to escalate to root. This issue affects openSUSE Tumbleweed.

CVE ID: CVE-2023-32183
Source: meissner@suse.de
CVSS score: 7.8

References:
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32183 | source: meissner@suse.de

Vulnerability type: CWE-276


(4) vulnerability(ies) rated MEDIUM [4.0, 6.9]

Source: hq.dhs.gov

Vulnerability ID: CVE-2023-35765

First published on: 07-07-2023 00:15:09
Last modified on: 07-07-2023 12:50:22

Description:
PiiGAB M-Bus stores credentials in a plaintext file, which could allow a low-level user to gain admin credentials.

CVE ID: CVE-2023-35765
Source: ics-cert@hq.dhs.gov
CVSS score: 6.5

References:
https://www.cisa.gov/news-events/ics-advisories/icsa-23-187-01 | source: ics-cert@hq.dhs.gov

Vulnerability type: CWE-256


Source: vuldb.com

Vulnerability ID: CVE-2023-3534

First published on: 07-07-2023 12:15:09
Last modified on: 07-07-2023 12:50:22

Description:
A vulnerability was found in SourceCodester Shopping Website 1.0. It has been classified as critical. Affected is an unknown function of the file check_availability.php. The manipulation of the argument email leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-233286 is the identifier assigned to this vulnerability.

CVE ID: CVE-2023-3534
Source: cna@vuldb.com
CVSS score: 6.3

References:
https://github.com/DUA0G/cve/blob/main/1.pdf | source: cna@vuldb.com
https://vuldb.com/?ctiid.233286 | source: cna@vuldb.com
https://vuldb.com/?id.233286 | source: cna@vuldb.com

Vulnerability type: CWE-89


Source: us.ibm.com

Vulnerability ID: CVE-2023-35890

First published on: 07-07-2023 03:15:09
Last modified on: 07-07-2023 12:50:22

Description:
IBM WebSphere Application Server 8.5 and 9.0 could provide weaker than expected security, caused by the improper encoding in a local configuration file. IBM X-Force ID: 258637.

CVE ID: CVE-2023-35890
Source: psirt@us.ibm.com
CVSS score: 5.1

References:
https://https://www.ibm.com/support/pages/node/7007857 | source: psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7007857 | source: psirt@us.ibm.com

Vulnerability type: CWE-327


Source: google.com

Vulnerability ID: CVE-2020-8934

First published on: 07-07-2023 12:15:09
Last modified on: 07-07-2023 12:50:22

Description:
The Site Kit by Google plugin for WordPress is vulnerable to Sensitive Information Disclosure in versions up to, and including, 1.8.0. This is due to the lack of capability checks on the admin_enqueue_scripts action which displays the connection key. This makes it possible for authenticated attackers with any level of access to obtain owner access to a site in the Google Search Console. We recommend upgrading to V1.8.1 or above.

CVE ID: CVE-2020-8934
Source: cve-coordination@google.com
CVSS score: 4.3

References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/google-site-kit/site-kit-by-google-171-sensitive-information-disclosure | source: cve-coordination@google.com

Vulnerability type: CWE-252


(11) vulnerability(ies) rated LOW [0.1, 3.9]

Source: github.com

Vulnerability ID: CVE-2023-37264

First published on: 07-07-2023 17:15:10
Last modified on: 07-07-2023 17:15:10

Description:
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 0.35.0, pipelines do not validate child UIDs, which means that a user that has access to create TaskRuns can create their own Tasks that the Pipelines controller will accept as the child Task. While the software stores and validates the PipelineRun's (api version, kind, name, uid) in the child Run's OwnerReference, it only stores (api version, kind, name) in the ChildStatusReference. This means that if a client had access to create TaskRuns on a cluster, they could create a child TaskRun for a pipeline with the same name + owner reference, and the Pipeline controller picks it up as if it was the original TaskRun. This is problematic since it can let users modify the config of Pipelines at runtime, which violates SLSA L2 Service Generated / Non-falsifiable requirements. This issue can be used to trick the Pipeline controller into associating unrelated Runs to the Pipeline, feeding its data through the rest of the Pipeline. This requires access to create TaskRuns, so impact may vary depending on one's Tekton setup. If users already have unrestricted access to create any Task/PipelineRun, this does not grant any additional capabilities. As of time of publication, there are no known patches for this issue.

CVE ID: CVE-2023-37264
Source: security-advisories@github.com
CVSS score: 3.7

References:
https://github.com/tektoncd/pipeline/blob/2d38f5fa840291395178422d34b36b1bc739e2a2/pkg/reconciler/pipelinerun/pipelinerun.go#L1358-L1372 | source: security-advisories@github.com
https://github.com/tektoncd/pipeline/security/advisories/GHSA-w2h3-vvvq-3m53 | source: security-advisories@github.com
https://pkg.go.dev/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1#ChildStatusReference | source: security-advisories@github.com

Vulnerability type: CWE-345


Source: vuldb.com

Vulnerability ID: CVE-2023-3535

First published on: 07-07-2023 13:15:09
Last modified on: 07-07-2023 14:54:15

Description:
A vulnerability was found in SimplePHPscripts FAQ Script PHP 2.3. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /preview.php of the component URL Parameter Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-233287.

CVE ID: CVE-2023-3535
Source: cna@vuldb.com
CVSS score: 3.5

References:
https://vuldb.com/?ctiid.233287 | source: cna@vuldb.com
https://vuldb.com/?id.233287 | source: cna@vuldb.com

Vulnerability type: CWE-79


Vulnerability ID: CVE-2023-3536

First published on: 07-07-2023 13:15:09
Last modified on: 07-07-2023 14:54:15

Description:
A vulnerability was found in SimplePHPscripts Funeral Script PHP 3.1. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /preview.php of the component URL Parameter Handler. The manipulation leads to cross site scripting. The attack may be launched remotely. The identifier of this vulnerability is VDB-233288.

CVE ID: CVE-2023-3536
Source: cna@vuldb.com
CVSS score: 3.5

References:
https://vuldb.com/?ctiid.233288 | source: cna@vuldb.com
https://vuldb.com/?id.233288 | source: cna@vuldb.com

Vulnerability type: CWE-79


Vulnerability ID: CVE-2023-3537

First published on: 07-07-2023 14:15:09
Last modified on: 07-07-2023 14:54:15

Description:
A vulnerability classified as problematic has been found in SimplePHPscripts News Script PHP Pro 2.4. This affects an unknown part of the file /preview.php of the component URL Parameter Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The identifier VDB-233289 was assigned to this vulnerability.

CVE ID: CVE-2023-3537
Source: cna@vuldb.com
CVSS score: 3.5

References:
https://vuldb.com/?ctiid.233289 | source: cna@vuldb.com
https://vuldb.com/?id.233289 | source: cna@vuldb.com

Vulnerability type: CWE-79


Vulnerability ID: CVE-2023-3538

First published on: 07-07-2023 14:15:09
Last modified on: 07-07-2023 14:54:15

Description:
A vulnerability classified as problematic was found in SimplePHPscripts Photo Gallery PHP 2.0. This vulnerability affects unknown code of the file /preview.php of the component URL Parameter Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. VDB-233290 is the identifier assigned to this vulnerability.

CVE ID: CVE-2023-3538
Source: cna@vuldb.com
CVSS score: 3.5

References:
https://vuldb.com/?ctiid.233290 | source: cna@vuldb.com
https://vuldb.com/?id.233290 | source: cna@vuldb.com

Vulnerability type: CWE-79


Vulnerability ID: CVE-2023-3539

First published on: 07-07-2023 15:15:10
Last modified on: 07-07-2023 15:46:57

Description:
A vulnerability, which was classified as problematic, has been found in SimplePHPscripts Simple Forum PHP 2.7. This issue affects some unknown processing of the file /preview.php of the component URL Parameter Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-233291.

CVE ID: CVE-2023-3539
Source: cna@vuldb.com
CVSS score: 3.5

References:
https://vuldb.com/?ctiid.233291 | source: cna@vuldb.com
https://vuldb.com/?id.233291 | source: cna@vuldb.com

Vulnerability type: CWE-79


Vulnerability ID: CVE-2023-3540

First published on: 07-07-2023 15:15:10
Last modified on: 07-07-2023 15:46:57

Description:
A vulnerability, which was classified as problematic, was found in SimplePHPscripts NewsLetter Script PHP 2.4. Affected is an unknown function of the file /preview.php of the component URL Parameter Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-233292.

CVE ID: CVE-2023-3540
Source: cna@vuldb.com
CVSS score: 3.5

References:
https://vuldb.com/?ctiid.233292 | source: cna@vuldb.com
https://vuldb.com/?id.233292 | source: cna@vuldb.com

Vulnerability type: CWE-79


Vulnerability ID: CVE-2023-3541

First published on: 07-07-2023 16:15:09
Last modified on: 07-07-2023 16:15:09

Description:
A vulnerability has been found in ThinuTech ThinuCMS 1.5 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /author_posts.php. The manipulation of the argument author with the input g6g12<script>alert(1)</script>o8sdm leads to cross site scripting. The attack can be launched remotely. The identifier VDB-233293 was assigned to this vulnerability.

CVE ID: CVE-2023-3541
Source: cna@vuldb.com
CVSS score: 3.5

References:
https://vuldb.com/?ctiid.233293 | source: cna@vuldb.com
https://vuldb.com/?id.233293 | source: cna@vuldb.com

Vulnerability type: CWE-79


Vulnerability ID: CVE-2023-3542

First published on: 07-07-2023 16:15:09
Last modified on: 07-07-2023 16:15:09

Description:
A vulnerability was found in ThinuTech ThinuCMS 1.5 and classified as problematic. Affected by this issue is some unknown functionality of the file /contact.php. The manipulation of the argument name/body leads to cross site scripting. The attack may be launched remotely. VDB-233294 is the identifier assigned to this vulnerability.

CVE ID: CVE-2023-3542
Source: cna@vuldb.com
CVSS score: 3.5

References:
https://vuldb.com/?ctiid.233294 | source: cna@vuldb.com
https://vuldb.com/?id.233294 | source: cna@vuldb.com

Vulnerability type: CWE-79


Vulnerability ID: CVE-2023-3543

First published on: 07-07-2023 17:15:10
Last modified on: 07-07-2023 17:15:10

Description:
A vulnerability was found in GZ Scripts Availability Booking Calendar PHP 1.8. It has been classified as problematic. This affects an unknown part of the file load.php of the component HTTP POST Request Handler. The manipulation of the argument cid/first_name/second_name/address_1/country leads to cross site scripting. It is possible to initiate the attack remotely. The associated identifier of this vulnerability is VDB-233295. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID: CVE-2023-3543
Source: cna@vuldb.com
CVSS score: 3.5

References:
https://vuldb.com/?ctiid.233295 | source: cna@vuldb.com
https://vuldb.com/?id.233295 | source: cna@vuldb.com

Vulnerability type: CWE-79


Vulnerability ID: CVE-2023-3544

First published on: 07-07-2023 17:15:10
Last modified on: 07-07-2023 17:15:10

Description:
A vulnerability was found in GZ Scripts Time Slot Booking Calendar PHP 1.8. It has been declared as problematic. This vulnerability affects unknown code of the file /load.php. The manipulation of the argument first_name/second_name/phone/address_1/country leads to cross site scripting. The attack can be initiated remotely. The identifier of this vulnerability is VDB-233296. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID: CVE-2023-3544
Source: cna@vuldb.com
CVSS score: 3.5

References:
https://vuldb.com/?ctiid.233296 | source: cna@vuldb.com
https://vuldb.com/?id.233296 | source: cna@vuldb.com

Vulnerability type: CWE-79


(22) vulnerability(ies) with NO SCORE [0.0, 0.0]

Source: mitre.org

Vulnerability ID: CVE-2023-37192

First published on: 07-07-2023 00:15:10
Last modified on: 07-07-2023 12:50:22

Description:
Memory management and protection issues in Bitcoin Core v22 allow attackers to modify the stored sending address within the app's memory, potentially allowing them to redirect Bitcoin transactions to wallets of their own choosing.

CVE ID: CVE-2023-37192
Source: cve@mitre.org
CVSS score: /

References:
https://bitcoin.org/en/bitcoin-core/ | source: cve@mitre.org
https://satoshihunter1.blogspot.com/2023/06/the-bitcoin-app-is-vulnerable-to-hackers.html | source: cve@mitre.org
https://www.youtube.com/watch?v=oEl4M1oZim0 | source: cve@mitre.org


Vulnerability ID: CVE-2023-34197

First published on: 07-07-2023 13:15:09
Last modified on: 07-07-2023 14:54:15

Description:
Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP before 14300, and SupportCenter Plus before 14300 have a privilege escalation vulnerability in the Release module that allows unprivileged users to access the Reminders of a release ticket and make modifications.

CVE ID: CVE-2023-34197
Source: cve@mitre.org
CVSS score: /

References:
https://www.manageengine.com/products/service-desk/CVE-2023-34197.html | source: cve@mitre.org


Vulnerability ID: CVE-2023-37308

First published on: 07-07-2023 13:15:09
Last modified on: 07-07-2023 14:54:15

Description:
Zoho ManageEngine ADAudit Plus before 7100 allows XSS via the username field.

CVE ID: CVE-2023-37308
Source: cve@mitre.org
CVSS score: /

References:
https://www.manageengine.com/products/active-directory-audit/cve-2023-37308.html | source: cve@mitre.org


Vulnerability ID: CVE-2023-37144

First published on: 07-07-2023 14:15:09
Last modified on: 07-07-2023 14:54:15

Description:
Tenda AC10 v15.03.06.26 was discovered to contain a command injection vulnerability via the mac parameter in the function formWriteFacMac.

CVE ID: CVE-2023-37144
Source: cve@mitre.org
CVSS score: /

References:
https://github.com/DaDong-G/Vulnerability_info/blob/main/ac10_command_injection/Readme.md | source: cve@mitre.org


Vulnerability ID: CVE-2023-37145

First published on: 07-07-2023 14:15:09
Last modified on: 07-07-2023 14:54:15

Description:
TOTOLINK LR350 V9.3.5u.6369_B20220309 was discovered to contain a command injection vulnerability via the hostname parameter in the setOpModeCfg function.

CVE ID: CVE-2023-37145
Source: cve@mitre.org
CVSS score: /

References:
https://github.com/DaDong-G/Vulnerability_info/blob/main/TOTOLINK/lr350/1/Readme.md | source: cve@mitre.org


Vulnerability ID: CVE-2023-37146

First published on: 07-07-2023 14:15:09
Last modified on: 07-07-2023 14:54:15

Description:
TOTOLINK LR350 V9.3.5u.6369_B20220309 was discovered to contain a command injection vulnerability via the FileName parameter in the UploadFirmwareFile function.

CVE ID: CVE-2023-37146
Source: cve@mitre.org
CVSS score: /

References:
https://github.com/DaDong-G/Vulnerability_info/tree/main/TOTOLINK/lr350/2 | source: cve@mitre.org


Vulnerability ID: CVE-2023-37148

First published on: 07-07-2023 14:15:09
Last modified on: 07-07-2023 14:54:15

Description:
TOTOLINK LR350 V9.3.5u.6369_B20220309 was discovered to contain a command injection vulnerability via the ussd parameter in the setUssd function.

CVE ID: CVE-2023-37148
Source: cve@mitre.org
CVSS score: /

References:
https://github.com/DaDong-G/Vulnerability_info/blob/main/TOTOLINK/lr350/3/README.md | source: cve@mitre.org


Vulnerability ID: CVE-2023-37149

First published on: 07-07-2023 14:15:09
Last modified on: 07-07-2023 14:54:15

Description:
TOTOLINK LR350 V9.3.5u.6369_B20220309 was discovered to contain a command injection vulnerability via the FileName parameter in the setUploadSetting function.

CVE ID: CVE-2023-37149
Source: cve@mitre.org
CVSS score: /

References:
https://github.com/DaDong-G/Vulnerability_info/blob/main/TOTOLINK/lr350/4/README.md | source: cve@mitre.org


Vulnerability ID: CVE-2023-25201

First published on: 07-07-2023 16:15:09
Last modified on: 07-07-2023 16:15:09

Description:
Cross Site Request Forgery (CSRF) vulnerability in MultiTech Conduit AP MTCAP2-L4E1 MTCAP2-L4E1-868-042A v.6.0.0 allows a remote attacker to execute arbitrary code via a crafted script upload.

CVE ID: CVE-2023-25201
Source: cve@mitre.org
CVSS score: /

References:
https://herolab.usd.de/security-advisories/ | source: cve@mitre.org
https://www.multitech.com | source: cve@mitre.org


Vulnerability ID: CVE-2023-29998

First published on: 07-07-2023 16:15:09
Last modified on: 07-07-2023 16:15:09

Description:
A Cross-site scripting (XSS) vulnerability in the content editor in Gis3W g3w-suite 3.5 allows remote authenticated users to inject arbitrary web script or HTML and gain privileges via the description parameter.

CVE ID: CVE-2023-29998
Source: cve@mitre.org
CVSS score: /

References:
https://github.com/g3w-suite | source: cve@mitre.org
https://labs.yarix.com/2023/07/gis3w-persistent-xss-in-g3wsuite-3-5-cve-2023-29998/ | source: cve@mitre.org


Vulnerability ID: CVE-2023-33664

First published on: 07-07-2023 16:15:09
Last modified on: 07-07-2023 16:15:09

Description:
ai-dev aicombinationsonfly before v0.3.1 was discovered to contain a SQL injection vulnerability via the component /includes/ajax.php.

CVE ID: CVE-2023-33664
Source: cve@mitre.org
CVSS score: /

References:
https://security.friendsofpresta.org/modules/2023/06/28/aicombinationsonfly.html | source: cve@mitre.org
https://www.boutique.ai-dev.fr/en/ergonomie/61-combinations-on-fly.html | source: cve@mitre.org


Vulnerability ID: CVE-2023-36201

First published on: 07-07-2023 16:15:09
Last modified on: 07-07-2023 16:15:09

Description:
An issue in JerryscriptProject jerryscript v.3.0.0 allows an attacker to obtain sensitive information via a crafted script to the arrays.

CVE ID: CVE-2023-36201
Source: cve@mitre.org
CVSS score: /

References:
https://github.com/jerryscript-project/jerryscript/issues/5026 | source: cve@mitre.org


Vulnerability ID: CVE-2023-27845

First published on: 07-07-2023 17:15:09
Last modified on: 07-07-2023 17:15:09

Description:
SQL injection vulnerability found in PrestaShop lekerawen_ocs before v.1.4.1 allows a remote attacker to gain privileges via the KerawenHelper::setCartOperationInfo, and KerawenHelper::resetCheckoutSessionData components.

CVE ID: CVE-2023-27845
Source: cve@mitre.org
CVSS score: /

References:
https://kerawen.com/logiciel-de-caisse/ | source: cve@mitre.org
https://security.friendsofpresta.org/modules/2023/07/06/kerawen_ocs.html | source: cve@mitre.org


Vulnerability ID: CVE-2023-33715

First published on: 07-07-2023 17:15:09
Last modified on: 07-07-2023 17:15:09

Description:
A buffer overflow in ACDSee Free v2.0.2.227 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.

CVE ID: CVE-2023-33715
Source: cve@mitre.org
CVSS score: /

References:
http://acd.com | source: cve@mitre.org
http://acdsee.com | source: cve@mitre.org
https://github.com/zclrsr/CVE-Reports/blob/main/ACDSee/CVE-2023-33715.md | source: cve@mitre.org


Vulnerability ID: CVE-2023-37061

First published on: 07-07-2023 17:15:09
Last modified on: 07-07-2023 17:15:09

Description:
Chamilo 1.11.x up to 1.11.20 allows users with an admin privilege account to insert XSS in the languages management section.

CVE ID: CVE-2023-37061
Source: cve@mitre.org
CVSS score: /

References:
https://github.com/chamilo/chamilo-lms/commit/75e9b3e0acac6f7a643da6ff19a00d55a94417a1 | source: cve@mitre.org
https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-116-2023-06-06-Low-impact-Low-risk-XSS-through-admin-account-languages-management | source: cve@mitre.org


Vulnerability ID: CVE-2023-37062

First published on: 07-07-2023 17:15:09
Last modified on: 07-07-2023 17:15:09

Description:
Chamilo 1.11.x up to 1.11.20 allows users with an admin privilege account to insert XSS in the course categories' definition.

CVE ID: CVE-2023-37062
Source: cve@mitre.org
CVSS score: /

References:
https://github.com/chamilo/chamilo-lms/commit/c263933d1d958edee3999820f636c8cb919d03d1 | source: cve@mitre.org
https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-115-2023-06-06-Low-impact-Low-risk-XSS-through-admin-account-course-category | source: cve@mitre.org


Vulnerability ID: CVE-2023-37063

First published on: 07-07-2023 17:15:09
Last modified on: 07-07-2023 17:15:09

Description:
Chamilo 1.11.x up to 1.11.20 allows users with an admin privilege account to insert XSS in the careers & promotions management section.

CVE ID: CVE-2023-37063
Source: cve@mitre.org
CVSS score: /

References:
https://github.com/chamilo/chamilo-lms/commit/546a18b0bd1446123f4e29f81f42e71b761f51b7 | source: cve@mitre.org
https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-117-2023-06-06-Low-impact-Low-risk-XSS-through-admin-account-careers-amp-promotions-management | source: cve@mitre.org


Vulnerability ID: CVE-2023-37064

First published on: 07-07-2023 17:15:10
Last modified on: 07-07-2023 17:15:10

Description:
Chamilo 1.11.x up to 1.11.20 allows users with an admin privilege account to insert XSS in the extra fields management section.

CVE ID: CVE-2023-37064
Source: cve@mitre.org
CVSS score: /

References:
https://github.com/chamilo/chamilo-lms/commit/91ecc6141de6de9483c5a31fbb9fa91450f24940 | source: cve@mitre.org
https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-119-2023-06-06-Low-impact-Low-risk-XSS-through-admin-account-extra-fields-management | source: cve@mitre.org


Vulnerability ID: CVE-2023-37065

First published on: 07-07-2023 17:15:10
Last modified on: 07-07-2023 17:15:10

Description:
Chamilo 1.11.x up to 1.11.20 allows users with an admin privilege account to insert XSS in the session category management section.

CVE ID: CVE-2023-37065
Source: cve@mitre.org
CVSS score: /

References:
https://github.com/chamilo/chamilo-lms/commit/da61f287d2e508a5e940953b474051d0f21e91c0 | source: cve@mitre.org
https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-118-2023-06-06-Low-impact-Low-risk-XSS-through-admin-account-session-category-management | source: cve@mitre.org


Vulnerability ID: CVE-2023-37066

First published on: 07-07-2023 17:15:10
Last modified on: 07-07-2023 17:15:10

Description:
Chamilo 1.11.x up to 1.11.20 allows users with an admin privilege account to insert XSS in the skills wheel.

CVE ID: CVE-2023-37066
Source: cve@mitre.org
CVSS score: /

References:
https://github.com/chamilo/chamilo-lms/commit/4f7b5ebf90c35999917c231276e47a4184275690 | source: cve@mitre.org
https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-114-2023-06-06-Low-impact-Low-risk-XSS-through-admin-account-skills | source: cve@mitre.org


Vulnerability ID: CVE-2023-37067

First published on: 07-07-2023 17:15:10
Last modified on: 07-07-2023 17:15:10

Description:
Chamilo 1.11.x up to 1.11.20 allows users with an admin privilege account to insert XSS in the classes/usergroups management section.

CVE ID: CVE-2023-37067
Source: cve@mitre.org
CVSS score: /

References:
https://github.com/chamilo/chamilo-lms/commit/c75ff227bcf00e9f88e9477b78eaeed9e0668905 | source: cve@mitre.org
https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-120-2023-06-07-Low-impact-Low-risk-XSS-through-admin-account-classesusergroups-management | source: cve@mitre.org


Source: apache.org

Vulnerability ID: CVE-2023-33008

First published on: 07-07-2023 10:15:09
Last modified on: 07-07-2023 12:50:22

Description:
Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache Johnzon. A malicious attacker can craft up some JSON input that uses large numbers (numbers such as 1e20000000) that Apache Johnzon will deserialize into BigDecimal and maybe use numbers too large which may result in a slow conversion (Denial of service risk). Apache Johnzon 1.2.21 mitigates this by setting a scale limit of 1000 (by default) to the BigDecimal. This issue affects Apache Johnzon: through 1.2.20.

CVE ID: CVE-2023-33008
Source: security@apache.org
CVSS score: /

References:
https://lists.apache.org/thread/qbg14djo95gfpk7o560lr8wcrzfyw43l | source: security@apache.org

Vulnerability type: CWE-502


This website uses the NVD API, but is not endorsed or certified by the NVD.

About the author
Julien B.

Securitricks

Up-to-Date Cybersecurity Insights & Malware Reports
